cjis: Security Compliance

 
Security Compliance
 
 
Because of their secure nature, access to Connecticut Justice Information System (CJIS) initiatives is presently allowed only on certified COLLECT devices. However, requests were brought before the CJIS Governing Board to allow access to these applications from devices other than COLLECT devices. Therefore, a committee which included representation from the Executive and Judicial Branches of State government, as well as municipal law enforcement, was created by the Board to recommend a solution.

Using industry “best practices” and policy set by the U.S. Department of Justice, Federal Bureau of Investigation (FBI), Criminal Justice Information Services Division within its CJIS Security Policy as a basis, the committee created a document that declares what the State requires of a criminal justice site in order to safely access the Connecticut CJIS initiatives. It should be noted that, at the request of the Department of Public Safety, a separate appendix within the document further declares additional requirements concerning COLLECT devices.

Therefore, in order to provide widespread access to various Connecticut Justice Information System (CJIS) initiatives and to safeguard CJIS data against malicious damage, the CJIS Governing Board adopted the CJIS Security Requirements and Recommendations on March 17, 2005.

With their adoption, the Board also requested that a process be put in place in order for locations to assess their vulnerability and to attain certification with the approved policy. The committee created the process described below and delegated the responsibility of the administration of the process to the Department of Information Technology (DOIT) CJIS Support Group. Without certification, a location is limited to only COLLECT devices and is responsible for stating that requirement to their users of the CJIS initiatives.

 
Compliance Assessment
The first phase of the process is for an agency to assess itself in order to ultimately attain certification. The CJIS Security Compliance Assessment (CJIS-2) Form provides a series of technical questions that follow the security requirements. A separate form MUST be completed and submitted for every location within an agency that has a separate networked LAN that requires access to CJIS applications.
 
Click here for Assessment Form | Assessment Form (Word Version)

  • Each section should be completed by the agency’s technician responsible for the administration of the network for that location. This individual should have intimate knowledge of the subnet or LAN and all devices attached to it.
  • The technician should perform each assessment by examining present compliance as outlined in the { }
The form is submitted to the CJIS Support Group for evaluation, and a response is supplied stating either that the agency may progress to the second phase or that certain items must be remedied before it can progress to the second phase of certification. The CJIS Support Group will also be available to assist the agency with recommendations concerning additional hardware or software needed to remedy any issues.
 
 
Compliance Certification
The second phase of the process is for an agency that believes they are already in compliance with the CJIS Security Requirements and Recommendations or has remedied the issues found in the assessment phase and is now ready to request certification. The CJIS Security Compliance Certification (CJIS-3) Form is used for this purpose. A separate form MUST be completed and submitted for every location within an agency that has a separate networked LAN that requires access to CJIS applications.

Certification Form | Certification Form (Word Version)

  • Each section should be completed by the Agency’s Information Technology Manager/Supervisor responsible for the administration of the network for that location. This individual should have knowledge of the subnet or LAN and all devices attached to it. If needed, the individual should call upon the Agency’s technician(s) for assistance.
  • The manager/supervisor should certify each “YES/ NO” question by examining present compliance as outlined in the { }
  • The form is submitted to the CJIS Support Group for evaluation and certification is granted or a response is supplied that certain items must be remedied in order to attain final certification.
If you are a CJIS community partner and have additional security questions, please contact us:
 
CJIS Support Group
55 Farmington, 11th floor
Hartford, CT 06105
Phone: (860) 622-2000
 
 

FBI CJIS Security Policy 
The CJIS Security Policy is considered to be Sensitive But Unclassified (SBU) material. This policy may not be posted to a public website and discretion must be exercised in sharing the contents of the policy with individuals and entities who are not engaged in law enforcement or the administration of criminal justice. 

For these reasons, please access the policy and its addendum from within the State-provided Secure System Site, or log on to the FBI CJIS Division's Law Enforcement Online secure web site to obtain a copy.




Content Last Modified on 5/17/2017 3:03:40 PM